Sending verification emails with PHP and processing the verification information via GET

Source: Internet
Author: User
Tags mcrypt

Today I studied the process of sending verification emails with PHP. The basic process is as follows: the user fills in the registration information and submits it. After it passes validation on the back end, a system email containing a link is sent to the user's mailbox. The user logs in to the registered mailbox, opens the email and clicks the link to complete verification. The idea is clear, and most websites with user registration work this way. One detail: for the safety of the GET request, the verification code is generally sent as ciphertext, and the ciphertext received through GET is decrypted and then compared with the plaintext verification code in the database. Some may consider storing the ciphertext in the database so that the GET value can be used directly in the query. This is convenient, but querying the database directly with unprocessed user data is dangerous, because attackers are very likely to exploit this link to inject SQL statements.
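The injection risk named above arises when the GET value is concatenated into the SQL text. The following added example, which is not from the original post, shows the direct-lookup design with a bound parameter and a stored hash of a random code; the table, column and function names are assumptions, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Added example, not the post's code: table, column and function names are
// assumptions; an in-memory SQLite database stands in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT, code_hash TEXT, verified INTEGER DEFAULT 0)');

function issue_code(PDO $db, string $email): string
{
    $code = bin2hex(random_bytes(16));          // 32 hex chars, URL-safe as is
    $stmt = $db->prepare('INSERT INTO users (email, code_hash) VALUES (?, ?)');
    $stmt->execute([$email, hash('sha256', $code)]);
    return $code;                               // goes into the e-mailed link
}

function verify_code(PDO $db, string $fromGet): bool
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $fromGet)) {
        return false;                           // wrong shape: never reaches SQL
    }
    // The value is bound as data; it is never concatenated into the statement.
    $stmt = $db->prepare(
        'UPDATE users SET verified = 1 WHERE code_hash = ? AND verified = 0'
    );
    $stmt->execute([hash('sha256', $fromGet)]);
    return $stmt->rowCount() === 1;             // exactly one account activated
}

// Demo with a constructed address and constructed inputs.
$code = issue_code($db, 'user@example.com');
var_dump(verify_code($db, $code));              // first click on the link
var_dump(verify_code($db, $code));              // same link used again
var_dump(verify_code($db, "' OR '1'='1"));      // constructed hostile value
```

Only the hash of the code is stored, so a leaked table does not reveal usable activation links.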

For the mail-sending part, PHP has a built-in mail() function, but for personal computer users who have no SMTP server, configuring an SMTP program is still troublesome. The PHPMailer library is recommended here; with PHPMailer you can quickly implement powerful PHP mail functions. Two blog posts are recommended: "How PHP sends emails" and "How PHPMailer sends emails". In addition, the PHP configuration has to be changed: in php.ini, the leading semicolon must be removed from ;extension=php_openssl.dll and ;extension=php_sockets.dll to enable these two modules.

The next task is encryption and decryption, and I thought this was where the problems would be. For encryption and decryption, I first thought of the powerful mcrypt library, and then I saw this blog; it was quite simple. I wrote two methods, one for encryption and one for decryption. They are intended to be used before the verification email is sent, and when the recipient clicks the activation link and the verification code is obtained through GET. Then I ran into problems. The first problem: the mcrypt_create_iv function, through its second parameter, introduces randomness into the encryption algorithm, which helps increase the encryption strength. But how can I pass the value returned during encryption (say $iv) to the decryption method? This was a big problem for me. Later, when I checked the official documentation, I saw this sentence: if this randomness is not required, you can set the second parameter of the mcrypt_create_iv function to a zero-character string, that is, "00000000", but this is not recommended. So I tried this to solve the parameter-passing problem. In fact, I also considered the session mechanism during this period, but later decided it was still inappropriate.

The second problem is even more bizarre. I tried a verification code like "123456789" and encrypted it, which produced a strange string. Because it was to be part of a URL, it was urlencoded, which produced the odd string "%15%27%C9%03%9C%1A%B0%98S%10e%84%96%11tJ". Then, in the decryption method, I followed the reverse process: urldecode, then decrypt with mcrypt. The value that came back from $_GET was incorrect; it was a string like "'etj", which left me sad and puzzled. In fact, I also did a test later: I skipped the mail round trip, and urlencode, then urldecode, then mcrypt gave the correct result. This question cannot be answered by experts!!

When I was so disheartened that I was about to discard this encryption method, I saw another encryption method. This is the base64 encryption method built into PHP, but it is relatively simple and does not support custom keys. However, testing showed that the ciphertext it generates looks much more "normal" than the ciphertext generated by mcrypt. So the two can be combined into a double encryption: mcrypt generates the ciphertext, base64_encode then turns it into a regular-looking ciphertext, and urlencode turns that into a URL-format string that is written into the activation link. After the GET value comes back, it is decrypted in reverse order. Finally, the strange phenomenon from the earlier test disappeared and the original plaintext was obtained. Haha, this can be found!! With this done, the remaining tasks are simple: only the database queries are left, and there is no need to worry about SQL injection during the database queries.
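One way to address both problems described above, carrying the IV to the decryption side and getting binary ciphertext through a URL intact, as an added example that is not the post's code. It uses PHP's openssl extension with AES-256-GCM in place of mcrypt, with URL-safe base64 serving only as a transport encoding; the function names, the key and the sample code value are assumptions.

```php
<?php
// Added example, not the post's code: function names, the key and the sample
// code "123456789" in the demo are assumptions made for illustration.
const CIPHER  = 'aes-256-gcm';
const TAG_LEN = 16;

function b64url_encode(string $bin): string
{
    // '-' and '_' replace '+' and '/', so the text needs no urlencode().
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): ?string
{
    $txt .= str_repeat('=', (4 - strlen($txt) % 4) % 4);   // restore padding
    $bin = base64_decode(strtr($txt, '-_', '+/'), true);   // strict mode
    return $bin === false ? null : $bin;
}

function make_token(string $code, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));  // fresh per token
    $ct = openssl_encrypt($code, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return b64url_encode($iv . $tag . $ct);                // IV travels with it
}

function read_token(string $token, string $key): ?string
{
    $raw   = b64url_decode($token);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === null || strlen($raw) <= $ivLen + TAG_LEN) {
        return null;                                       // malformed input
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = substr($raw, $ivLen + TAG_LEN);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;                     // false: tag mismatch
}

// Demo with a constructed key and code, parsed the way PHP fills $_GET.
$key  = random_bytes(32);
$link = 'http://localhost/localproject/ciapp/index.php/mail/getverification?v='
      . make_token('123456789', $key);
parse_str(parse_url($link, PHP_URL_QUERY), $query);
var_dump(read_token($query['v'], $key));

$bad = $query['v'];
$bad[20] = ($bad[20] === 'A') ? 'B' : 'A';                 // one character altered
var_dump(read_token($bad, $key));
```

The IV is not secret, so it can ride in the link next to the ciphertext; the authentication tag is what makes an altered link decode to nothing instead of to garbage.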

Finally, part of the code.

 
public function encodingverification()
{
    $this->load->library("coding");
    $arr = $this->coding->encoding();
    // var_dump($arr);
    // $t = $this->coding->decoding(urldecode(urlencode($arr['encrypted'])));
    // echo $t;
    // base64-encode the mcrypt ciphertext, then urlencode it for the link
    $content = "http://localhost/localproject/ciapp/index.php/mail/getverification?v="
        . urlencode(base64_encode($arr['encrypted']));
    $this->mymail($content);
}

public function decodingverification($arr)
{
    $this->load->library("coding");
    $vcode = $this->coding->decoding($arr);
    return $vcode;
}

public function getverification()
{
    // echo $_GET['v'];
    // echo "\n" . urldecode($_GET['v']);
    // PHP has already URL-decoded $_GET['v']; a second urldecode() would turn
    // any '+' in the base64 text into a space, so only base64_decode is applied.
    $v = $this->decodingverification(base64_decode($_GET['v']));
    echo "\n" . $v;
}
